1. Who We Are
Pyzando (hereinafter "Pyzando", "we", "our") is a mobile payment link platform operating in the Democratic Republic of Congo (DRC) and other African countries. Our services enable merchants and businesses to create payment links and accept payments via mobile money networks (M-Pesa / Vodacom, Airtel Money, Orange Money, etc.).
As a digital payment services provider, Pyzando operates in compliance with applicable regulations on electronic money and mobile payments in the DRC.
2. Data We Collect
2.1 Identification and KYC Data
During registration and as part of our legal Know-Your-Customer (KYC) obligations, we may collect:
- Full name, date and place of birth
- National identity card (CNI) number or passport
- Physical and business address
- Phone number and email address
- Business name and legal form (for merchant accounts)
- RCCM number and tax identification number (for commercial entities)
- Supporting documents (ID, statements, articles of association)
2.2 Transaction Data
- Amounts sent and received, currencies (CDF, USD, etc.)
- Timestamps, transaction references, statuses
- Mobile money numbers of payers and beneficiaries
- Declared purpose of payment
- IP address and approximate location information
2.3 Technical and Usage Data
- IP address, browser type and operating system
- Pages visited, session duration, clicks
- API access logs (for merchant integrations)
- API keys (hashed and secured)
2.4 Communication Data
- Content of messages sent to our support team
- Notifications sent and their read status
3. Purposes and Legal Bases for Processing
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Performance of contract |
| Payment and withdrawal processing | Performance of contract |
| KYC verification / AML compliance | Legal obligation (Law n°04/016 of July 19, 2004) |
| Reporting to competent regulatory authorities (CENAREF) | Legal obligation |
| Fraud detection and prevention | Legitimate interest / Legal obligation |
| Customer service and dispute resolution | Legitimate interest / Performance of contract |
| Platform improvement and analytics | Legitimate interest |
| Marketing communications (with your consent) | Consent |
4. Sharing Your Data
We do not sell your personal data. We may share your data with:
- Mobile money providers (Vodacom M-Pesa, Airtel Money, Orange Money, PawaPay, etc.) — for transaction execution;
- Competent regulatory authorities — in the context of our regulatory reporting obligations;
- CENAREF (National Financial Intelligence Unit) — for suspicious transaction reports relating to money laundering or terrorist financing, pursuant to Law n°04/016 of July 19, 2004;
- Judicial and security authorities — on order of a competent court or requisition by competent DRC state services;
- Technical service providers (cloud hosting, transactional email, SMS) — under data processing agreements guaranteeing an adequate level of protection;
- Auditors and legal advisors bound by professional confidentiality.
5. Data Retention
Retention periods are defined in accordance with the following legal requirements:
- KYC and transaction data: minimum 5 years after the end of the business relationship, in accordance with Law n°04/016 and FATF recommendations;
- Audit and security logs: 5 years;
- Communication and support data: 3 years;
- Technical data (server logs): 12 months.
6. International Data Transfers
In the course of our activities, your data may be processed by providers located outside the DRC (e.g. for cloud hosting or cross-border transaction processing). In such cases, we ensure that appropriate contractual safeguards are in place to guarantee a level of data protection equivalent to that required by Congolese regulations.
7. Data Security
We implement the following security measures:
- TLS/HTTPS encryption for all communications
- Encryption of sensitive data at rest (AES-256)
- Password hashing with bcrypt
- HMAC-SHA256 signed webhooks
- Role-based access controls (RBAC) and multi-factor authentication for admin accounts
- Regular security audits and comprehensive access logs
- Security incident response plan
In the event of a data breach likely to affect your rights, we will notify you as soon as possible, in accordance with applicable legal obligations.
8. Your Rights
Subject to legal retention and reporting obligations, you have the following rights:
- Right of access: obtain a copy of your personal data;
- Right of rectification: correct inaccurate or incomplete data;
- Right to erasure: request deletion of your data (subject to legal retention obligations);
- Right to data portability: receive your data in a structured, readable format;
- Right to object: object to processing for direct marketing purposes;
- Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before such withdrawal.
To exercise these rights, contact us at: contact@pyzando.com.
Note: Some of your data cannot be deleted if retention is required by law (e.g. KYC and transaction data for AML compliance purposes).
9. Cookies and Similar Technologies
We use technically essential cookies required for the platform to function (session management, CSRF token). We may also use anonymized analytics cookies to improve user experience. You may configure your browser to refuse cookies, though this may affect some platform features.
10. Minors
Our services are intended exclusively for persons aged 18 and over. We do not knowingly collect data relating to minors. If you become aware that a minor has provided us with personal data, please contact us immediately.
11. Changes to This Policy
We may update this policy from time to time. The current version is the one published on this page with the date of last update. In the event of a material change, we will notify you by email or by notification on the platform.
12. Contact
For any questions regarding this policy or to exercise your rights:
Pyzando — Data Protection Officer
Email: contact@pyzando.com
Address: Kinshasa, Democratic Republic of Congo